CVE-2026-34647 HIGH

CVE-2026-34647: Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918)

Vendor Adobe

Product Adobe Commerce

Weakness CWE-918 · SSRF

Published May 12, 2026

Last update May 13, 2026

View on NVD All CVEs

CVSS base score

7.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Key dates

02Disclosure timeline

May 12, 2026 CVE published

May 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34647

Related vulnerabilities

04Related CVE

CVE-2026-43995 Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure) CVE-2026-4308 frdel/agent0ai agent-zero document_query.py handle_pdf_document server-side request forgery CVE-2026-2479 Responsive Lightbox & Gallery <= 2.7.1 - Authenticated (Author+) Server-Side Request Forgery via Remote Library Image Upload CVE-2025-58441 Knowage is vulnerable to blind server-side request forgery (SSRF) CVE-2022-0767 Server-Side Request Forgery (SSRF) in janeczku/calibre-web